pipecat-ai

CVE-2026-44716

CVE-2026-44716 is a high-severity path traversal vulnerability in pipecat-ai (pip), affecting versions >= 0.0.90, < 1.2.0. It is fixed in 1.2.0.

Key facts
  • CVSS score: 7.5 (High)
  • Attack vector: Network
  • Issuing authority: GitHub Advisory Database
  • Affected package: pipecat-ai
  • Fixed in: 1.2.0
  • Disclosed: 2026

Summary

A path traversal vulnerability exists in Pipecat's development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder.

An attacker with network access to the runner can read any file the pipecat process has permission to access, including SSH private keys, credentials, and system files, with a single unauthenticated HTTP request.

Confirmed on pipecat-ai 1.1.0 (latest PyPI release) and commit f078df78058ae82a02ce5b23e9e3a99a0917a53d.

Details

The vulnerable code is in src/pipecat/runner/run.py, inside the configureserverapp() function, lines 249–264:

Path(args.folder) / filename joins the caller-supplied filename onto the base directory without calling .resolve() or checking is_relative_to. Python's pathlib does not strip .. segments during join; only .resolve() does.

Starlette strips literal ../ from the URL path before the route handler runs, but it decodes percent-encoded characters inside the matched path parameter value. Because %2F decodes to / after the router has already matched the route, the value that reaches filename can contain / characters, enabling directory traversal. For example:

The endpoint has no authentication (the runner does not implement any auth layer), so the request requires no credentials.

Proof of Concept

Step 1: Start the Pipecat runner with --folder

The runner requires a bot script with a bot() entry point. A minimal script that keeps the HTTP server alive without any transport logic:

Start the runner:

Expected output: [image]

Step 2: Exploit

Confirmed results (pipecat-ai 1.1.0, tested 2026-04-29)

| Request | HTTP status | Content |
|---------|-------------|---------|
| GET /files/recording.txt | 200 | Legitimate file |
| GET /files/../../etc/passwd | 404 | Blocked, literal .. normalised away |
| GET /files/..%2F..%2Fetc%2Fpasswd | 200 | Full /etc/passwd |
| GET /files/..%2F..%2F..%2Fhome/…/.ssh/id_rsa | 200 | RSA private key (BEGIN OPENSSH PRIVATE KEY) |

Impact

The --folder flag is a documented, first-class feature of the runner: the runner_downloads_folder() helper and -f / --folder CLI argument are part of the public API. The runner documentation includes LAN-deployment examples (--host 192.168.1.100 for ESP32 integration). In those deployments, any host on the local network can exploit this with zero credentials.

An attacker who can reach the runner port and knows --folder is active can retrieve any file readable by the pipecat process:

  • SSH private keys and TLS certificates
  • .env files and application credentials
  • Database files, session tokens, API keys
  • System files such as /etc/passwd and /etc/shadow (on Linux)
  • Source code, config files, and secrets in parent directories of --folder

Remediation

Call .resolve() on both the base path and the joined path, then assert containment with is_relative_to:

Path.resolve() expands all .. components and follows symlinks before is_relative_to compares the paths, so neither %2F-encoded separators nor symlink chains can escape the allowed base.
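The resolve-then-check containment described in the remediation, shown beside the unchecked join, as an added example that is not pipecat's own code. The names naive_join, safe_join and demo and the temporary directory tree are constructed for illustration, and unquote stands in for the decoding the framework applies to the path parameter.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def naive_join(base: str, filename: str) -> Path:
    """Unchecked pattern from the advisory: '..' segments survive the join."""
    return Path(base) / filename


def safe_join(base: str, filename: str) -> Optional[Path]:
    """Resolve base and target, then require target to stay under base.

    Returns the resolved path, or None when the request escapes base
    (a handler would answer 404 in that case).
    """
    root = Path(base).resolve()
    target = (root / filename).resolve()  # expands '..' and follows symlinks
    return target if target.is_relative_to(root) else None


def demo() -> dict:
    """Compare both joins on a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        top = Path(tmp).resolve()
        downloads = top / "srv" / "downloads"  # stands in for args.folder
        downloads.mkdir(parents=True)
        (downloads / "recording.txt").write_text("legitimate file")
        (top / "secret.txt").write_text("outside the folder")
        # A symlink inside the folder that points outside it.
        os.symlink(top / "secret.txt", downloads / "link.txt")

        # Value the handler sees once %2F has been decoded to '/'.
        decoded = unquote("..%2F..%2Fsecret.txt")
        base = str(downloads)
        return {
            "decoded": decoded,
            "naive_reads_outside":
                naive_join(base, decoded).read_text() == "outside the folder",
            "safe_traversal": safe_join(base, decoded),
            "safe_symlink": safe_join(base, "link.txt"),
            "safe_legit":
                safe_join(base, "recording.txt") == downloads / "recording.txt",
        }


if __name__ == "__main__":
    print(demo())
```

An absolute filename is rejected by the same check, because joining an absolute path onto the base replaces the base entirely before the comparison runs.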

Impact

What is path traversal?

Path traversal occurs when input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

Severity and exposure

CVE-2026-44716 has a CVSS score of 7.5 (High). The attack vector is network, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (1.2.0). Upgrading removes the vulnerable code path.

Affected versions

pip

  • pipecat-ai (>= 0.0.90, < 1.2.0)

Security releases

  • pipecat-ai → 1.2.0 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-44716 is reachable in your applications. Explore open-source security for your team.

Remediation advice

Upgrade pipecat-ai to 1.2.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-44716

What is CVE-2026-44716?

CVE-2026-44716 is a high-severity path traversal vulnerability in pipecat-ai (pip), affecting versions >= 0.0.90, < 1.2.0. It is fixed in 1.2.0. In a path traversal, input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.

How severe is CVE-2026-44716?

CVE-2026-44716 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of pipecat-ai are affected by CVE-2026-44716?

pipecat-ai (pip) versions >= 0.0.90, < 1.2.0 are affected.

Is there a fix for CVE-2026-44716?

Yes. CVE-2026-44716 is fixed in 1.2.0. Upgrade to this version or later.

Is CVE-2026-44716 exploitable, and should I be worried?

Whether CVE-2026-44716 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.

What actually determines whether CVE-2026-44716 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-44716?

Upgrade pipecat-ai to 1.2.0 or later.
